Download presentation

Presentation is loading. Please wait.

Published byJustin Egle Modified about 1 year ago

1
Rennes, 23/10/2014 Cristina Onete maria-cristina.onete@irisa.fr Commitment Schemes and Identification/Authentication

2
Commitment Schemes AliceBob Example : Alice and Bob must agree who will clean tonight They are at their offices. Each tosses a coin & they call: If tosses are the same, then Alice cleans If tosses are different, then Bob cleans Who talks first? Bob Alice Cristina Onete || 24/10/2014 || 2

3
Commitment Schemes Alice Bob Alice and Bob toss Alice talks first Bob talks first Bob Alice How can we avoid this? Bob says he tossed the same value Alice says she tossed the opposite value Cristina Onete || 24/10/2014 || 3

4
Commitment Schemes AliceBob Commitment: an envelope with a strange seal Alice talks first Commit phase: she hides toss in envelope, gives it to Bob Reveal phase: Alice tells Bob how to unseal envelope Bob reveals toss Bob cleans Cristina Onete || 24/10/2014 || 4

5
Commitment Schemes AliceBob Properties: Hiding: The content of the envelope is not visible Bob doesn’t know anything about Alice’s toss Binding: Alice can’t change the content in the envelope Alice can’t cheat after getting Bob’s toss Cristina Onete || 24/10/2014 || 5

6
Commitment Schemes Alice Bob Formally: Commitment hiding: …………………… Commitment binding: Cristina Onete || 24/10/2014 || 6

7
Pedersen Commitments AliceBob …………………… Impossible Cristina Onete || 24/10/2014 || 7

8
Pedersen Commitments AliceBob …………………… Hiding: Cristina Onete || 24/10/2014 || 8

9
DLog-based Commitments AliceBob …………………… Computationally hiding: DLog Perfectly binding by construction Cristina Onete || 24/10/2014 || 9

10
Cristina Onete || 25/09/2014 || 10 Exercise 1 Consider a hash function H Use the commitment scheme Is this commitment binding if H is one-way? If H is one-way, is this commitment hiding?

11
Cristina Onete || 25/09/2014 || 11 Exercise 2 Use the commitment scheme Is this commitment binding? Is this commitment hiding? What happens if the value s is known?

12
Cristina Onete || 25/09/2014 || 12 Exercise 3 Use the commitment scheme Is this commitment hiding? Is this commitment binding?

13
Cristina Onete || 25/09/2014 || 13 Identification & Authentication ProverVerifier Goal (identification) : The prover wants to convince the verifier she is who she pre- tends to be Example: interview/application/exam Goal (authentication) : Prover wants to prove she’s legitimate Example: owner of a house, student at University, etc ID

14
Cristina Onete || 25/09/2014 || 14 Challenge-Response Two-move protocol Verifier starts, sending a challenge Prover sends a response Based on the challenge-response, the verifier must make his decision ProverVerifier challenge response

15
Cristina Onete || 25/09/2014 || 15 Challenge-Response Prover Verifier challenge response Symmetric authentication: Verifier stores a keyring of many keys (each corresponding to one prover) Goal of challenge-response: verifier can decide whether the prover is legitimate or not Shared Property 1: a legitimate prover can always authenticate Property 2: an illegitimate prover can never authenticate

16
Cristina Onete || 25/09/2014 || 16 Challenge-Response Prover Verifier challenge response Shared Exercise 4: Can the set of possible challenges be small?

17
Cristina Onete || 25/09/2014 || 17 Challenge-Response Prover Verifier challenge response Exercise 5: Design a challenge-response protocol using a symmetric encryption function Now use a PK encryption scheme Use a pseudo-random hash function Now use a signature scheme Use a commitment scheme and a 1-way hash function

18
Cristina Onete || 25/09/2014 || 18 Exercises Exercise 6: Prover Verifier Use the protocol above, assuming the hash function produ- ces pseudo-random outputs What is a simple denial-of-service attack that an attacker can run against a verifier who stores very many keys?

19
Cristina Onete || 25/09/2014 || 19 Exercises Prover Verifier Exercise 7: A mutual authentication protocol is one in which both parties can verify the legitimacy of their partner Start from a basic 2-move challenge-response protocol. Can you think of a 3-move protocol that ensures MUTUAL authentication? Design a mutual authentication protocol using only a (keyed) hash function. What are the required properties?

20
CIDRE Thanks!

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google